Don’t Let Hackers Hijack Your Cause: A Charity’s Guide to Cyber Safety & Legal Duties


Introduction

Cyber security is an essential responsibility for every Australian charity and not-for-profit (NFP) organisation. As prime targets for cybercrime, charities and NFPs are uniquely vulnerable due to their handling of sensitive data, often combined with limited resources and training. A successful cyber attack can have devastating consequences, including severe financial loss, the exposure of donor and beneficiary data, and lasting reputational damage that undermines community trust.

To safeguard their mission, it is critical for these organisations to understand both their security vulnerabilities and their legal obligations. This guide offers a practical framework for building cyber resilience, covering how to identify common cyber security threats, comply with key Australian laws and governance standards, and implement a checklist of protective measures to secure your organisation.

Why Cyber Security is Critical for Your Not-for-Profit Organisation

The Unique Vulnerabilities of the Charity & Not-for-Profit Sector

Charities and not-for-profits (NFPs) are prime targets for cybercriminals due to a unique combination of factors. These organisations often handle highly sensitive information about vulnerable beneficiaries, donors, and members, making them attractive to attackers seeking valuable data. Moreover, the high level of public trust in this sector can be exploited by malicious actors.

Several factors contribute to the increased vulnerability of the charity sector:

  • Limited resources & funding: Many charities lack dedicated budgets for robust technology, cyber security measures, or IT staff. A 2023 report noted 88% of surveyed NFPs had no budget for cyber threat protection.
  • Lack of training: Without adequate resources, comprehensive cyber security awareness training for staff and volunteers is often a low priority, increasing the risk of human error.
  • Inadequate digital capabilities: Many NFPs are still developing their digital competency. While only 49% of organisations have an information security policy, many acknowledge their digital skills need improvement.

The Devastating Consequences of a Cyber Attack

The impact of a cyber security incident can be devastating for a charity, extending far beyond immediate financial loss. A successful attack can disrupt operations, compromise sensitive data, and severely damage an organisation’s reputation. According to one report, one in five Australian charities and NFPs fear that a cyber attack would completely devastate their organisation.

The consequences of a security breach are multifaceted and include:

  • Financial & resource loss: Includes direct theft of funds, costs to restore data and repair systems, and resources required to manage the attack’s aftermath.
  • Data breaches & harm to individuals: The exposure of personal and sensitive information can cause significant emotional and financial harm to beneficiaries, donors, staff, and volunteers.
  • Reputational damage & loss of trust: A data breach can erode public confidence, jeopardising future funding, community support, and the organisation’s ability to fulfil its mission.
  • Breach of legal & regulatory obligations: Can lead to breaches of the Privacy Act 1988 (Cth) and non-compliance with ACNC Governance Standards, resulting in investigations and significant financial penalties.

Understanding Key Cyber Security Threats to Your Charity

Phishing & Business Email Compromise

Phishing is a common cyber security threat where criminals impersonate a trustworthy individual or organisation through deceptive emails or messages. The primary goal is to trick staff or volunteers into revealing sensitive information or installing malicious software.

These fraudulent communications often appear sophisticated and legitimate, making them particularly dangerous because:

  • They target passwords and financial details
  • They may contain harmful links or attachments
  • They can be difficult to identify as fraudulent

A particularly damaging form of this cybercrime is Business Email Compromise (BEC). In this type of attack, cybercriminals:

  • Hack into existing email accounts or create very similar domain names
  • Impersonate someone within your organisation or a trusted partner
  • Attempt to deceive staff into making fraudulent payments

For instance, a finance officer might receive a fake email trail that appears to approve an urgent invoice, leading to the transfer of charity funds directly to the criminal’s account.

Ransomware Attacks

Ransomware is a type of malicious software that can have devastating consequences for an NFP. Once it infects your systems, it works by encrypting your files and data, effectively locking you out and rendering them inaccessible.

The attackers then demand a ransom payment, typically in cryptocurrency, in exchange for restoring your access. However, the threat extends beyond just losing access to your data.

Cybercriminals may also escalate their demands by:

  • Threatening to permanently delete your files
  • Threatening to publish stolen sensitive information online if the ransom isn’t paid

This creates a dual risk of operational disruption and a serious data breach, which can severely harm both your charity’s reputation and the communities you serve.

Your Charity’s Legal Obligations for Data Protection

Complying with the Privacy Act & Australian Privacy Principles

The Privacy Act 1988 (Cth) is the national law that regulates how private organisations in Australia must handle personal information. Your NFP must comply with this Act if its annual turnover exceeds $3 million. However, the Act can also apply to smaller NFPs under specific circumstances.

Your charity may still have legal obligations under the Privacy Act 1988 (Cth) if it:

  • Provides a health service, even if it is not your primary activity
  • Is a contracted service provider for an Australian Government contract
  • Sells or purchases personal information, or trades it for a benefit
  • Is related to a larger organisation that is covered by the Act

The Act sets out the Australian Privacy Principles (APPs), which are standards for collecting, using, disclosing, securing, and disposing of personal information. For any charity handling data, APP 11 is particularly important as it requires you to take active steps to protect and secure the personal information you hold.

Additionally, the Notifiable Data Breaches (NDB) scheme mandates that you notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to result in serious harm.

Adhering to ACNC Governance Standards

Directors of charities registered with the ACNC must adhere to the ACNC Governance Standards. These are a set of core, minimum standards that dictate how charities should be governed. Two standards are especially relevant to your organisation’s cyber security and data protection duties:

  • Governance Standard 3: Requires a charity to comply with all applicable Australian laws, including data protection obligations under legislation such as the Privacy Act 1988 (Cth).
  • Governance Standard 5: Outlines the duties of directors to act with reasonable care and diligence, which includes taking active steps to mitigate operational risks like cyber threats.

The Duties of Directors for Reasonable Care & Diligence

Under ACNC Governance Standard 5, every director, board member, or responsible person has a duty to act with reasonable care and diligence. This duty is not diminished if a director lacks specialised knowledge in IT or data security. The ultimate responsibility for managing cyber risks rests with the charity’s leadership.

If directors do not possess the necessary technical expertise, they are expected to seek expert advice to help them effectively mitigate cyber risks. However, it is crucial to remember that even when external experts are engaged, the directors remain ultimately responsible for the decisions made and the steps taken to ensure the organisation’s cyber resilience.

This duty also requires directors to act honestly and fairly in the best interests of the charity. This involves carefully considering how data protection decisions could impact:

  • The charity’s beneficiaries
  • Members
  • Donors
  • Employees

By fulfilling these obligations, directors ensure that sensitive information is properly safeguarded across all aspects of the organisation’s operations.

A Practical Cyber Security Checklist for Protecting Your Charity

Identify & Assess Your Information Assets

The first step in building cyber resilience for your charity is to understand what information you hold and why it is valuable. Creating an information asset register is a crucial exercise that helps your organisation catalogue its data, assess its importance, and identify potential risks. This process allows you to focus your protection efforts where they are most needed.

An information asset register helps your NFP identify:

  • Types of information held: Catalogue data such as donor details, beneficiary records, financial data, and employee information.
  • Where assets are stored: Note whether data is held on local servers, in the cloud, or on physical devices.
  • Value of each asset: Determine which information is most critical to your operations and mission.
  • Who has access: List the staff, volunteers, or third parties who can access specific data.
  • Assets posing significant risk: Pinpoint sensitive information that, if compromised, could cause the most harm.

By conducting this assessment, your charity can analyse the likelihood and potential impact of a cyber incident on each asset. This allows you to develop targeted strategies to mitigate the most significant cyber risks and ensure business continuity.

Essential Prevention Strategies & Technical Controls

Once you have identified your critical assets, you can implement practical measures to protect them. There are several essential prevention strategies and technical controls that can significantly strengthen your organisation’s cyber security posture. Many of these are low-cost and can be implemented by any NFP.

Key preventative actions for your charity include:

  • Turn on multi-factor authentication: Adds an extra security layer beyond a password, making it much harder for criminals to access accounts. It should be used for all critical systems.
  • Keep software & systems updated: Regular updates contain patches for security vulnerabilities that cybercriminals could otherwise exploit.
  • Perform regular data backups: Storing secure, separate backups ensures you can restore your data after a ransomware attack or system failure.
  • Limit & control access: Ensure staff and volunteers can only access information they need, and restrict administrator privileges to reduce potential damage if an account is compromised.
  • Use effective password practices: Encourage long, unique passphrases for every account. A password manager can help staff create and store strong credentials securely.
  • Protect your devices & network: Install antivirus software to detect and remove malware, and use a firewall to prevent unauthorised access to your network.

The Importance of Cyber Security Awareness Training

Technology alone cannot protect your organisation from all cyber security threats. Human error remains a significant vulnerability, making staff and volunteer training a critical line of defence. Cultivating a culture of cyber security awareness is the collective responsibility of everyone in your charity, from board members to part-time volunteers.

Training empowers your team to become a human firewall, capable of identifying and mitigating potential risks before they cause harm.

A comprehensive training program should cover:

  • Recognising common cyber threats, particularly phishing emails, fraudulent invoice requests, and other scams.
  • Understanding how to handle personal and sensitive information securely.
  • Adhering to best practices in digital hygiene, such as creating strong passphrases and reporting suspicious activity promptly.

Given that many charities operate with limited resources, it is important to note that effective training does not have to be expensive. Free resources are available from government bodies like the Australian Signals Directorate to help educate your team and build a more resilient organisation.

Developing an Incident Response Plan

Despite the best preventative measures, a cyber security incident can still occur. Having a clear and practical incident response plan in place is essential for managing a data breach effectively and minimising its impact. A well-prepared plan enables your charity to respond quickly and decisively, which can reduce financial loss, protect your reputation, and lessen the harm to individuals.

Your organisation’s incident response plan should outline a step-by-step strategy to be followed in the event of a breach.

The key stages of an effective response include:

  • Identify and Contain: The first priority is to understand what has happened and take immediate steps to contain the breach, preventing it from affecting other systems or data.
  • Investigate and Assess: Once contained, you must investigate the nature of the incident to determine which systems and data were affected and assess the potential harm to individuals and the organisation.
  • Act and Notify: Based on your assessment, you must take action to mitigate the harm. If the breach is likely to result in serious harm, you are required under the NDB scheme to notify affected individuals and the OAIC.
  • Review and Improve: After the incident is resolved, it is crucial to review your policies, procedures, and systems to identify weaknesses and implement changes that will reduce the likelihood of a similar event happening again.

Conclusion

For Australian charities and NFPs, understanding cyber security threats and legal duties is fundamental to protecting their mission and the communities they serve. By implementing practical measures such as robust technical controls, comprehensive staff training, and a clear incident response plan, your organisation can build the resilience needed to safeguard sensitive data and maintain public trust.

Managing these complex responsibilities requires specialised knowledge, but you do not have to manage it alone. For trusted not-for-profit legal services tailored to the unique challenges of the NFP sector, contact the specialists at LawBridge today to ensure your organisation is secure, compliant, and ready to face future challenges with confidence.

Published By
Mohamad Kammoun